This PowerShell module provides a series of cmdlets to interact with the Symantec Endpoint Protection Cloud REST API.
To interact with the API of the on-premise SEP version, use the PSSymantecSEPM module instead.
This small project is an attempt to interact with the Symantec/Broadcom API to manage:
- Symantec Endpoint Protection (SEP) Cloud
- Symantec Endpoint Security (SES) Platform.
To interact with your SEP Cloud platform you need to:
- Create an integration application and get your ClientID & Secret from your Symantec Cloud Platform
- Generate your authentication token (Go to SES > Generating your token bearer)
This module follows the Module Builder Project folder structure for easy maintenance and versioning.
There are 2 ways to install this module:
- Install it with Install-Module PSSymantecCloud
- Build it from sources (see Building your module)
Block-SepCloudFile
Clear-SepCloudAuthentication
Export-SepCloudAllowListPolicyToExcel
Export-SepCloudDenyListPolicyToExcel
Get-EDRDumps
Get-SepCloudCommands
Get-SepCloudDeviceDetails
Get-SepCloudDevices
Get-SepCloudEvents
Get-SepCloudFilesInfo
Get-SepCloudIncidentDetails
Get-SepCloudIncidents
Get-SepCloudPolices
Get-SepCloudPolicyDetails
Get-SepCloudTargetRules
Get-SepThreatIntelCveProtection
Get-SepThreatIntelFileProtection
Get-SepThreatIntelNetworkProtection
New-EDRFullDump
Start-SepCloudDefinitionUpdate
Start-SepCloudFullScan
Start-SepCloudQuickScan
Test-SepCloudConnectivity
Update-SepCloudAllowlistPolicy
For detailed information about each command, use Get-Help <command> -Full
Generate your authentication token via the integration menu of your SEP Cloud console and keep your ClientID & Secret.
Test your authentication against the API
Test-SepCloudConnectivity
True
List of all your devices
Get-SepCloudDevices
List of all your devices that are considered "SECURE", "AT_RISK", or "COMPROMISED"
Get-SepCloudDevices -Device_Status "AT_RISK"
Get details of a specific device
Get-SepCloudDevices -Computername MyComputer
id : abcdefghijkl
name : MyComputer
host : MyComputer
domain : contoso.com
created : 10/10/2022 11:47:44
modified : 19/07/2023 21:57:27
os : @{ver=10.0.19045; name=Windows 10 Enterprise Edition; type=WINDOWS_WORKSTATION; 64_bit=True; lang=fr; major_ver=10; minor_ver=0; sp=0; tz_offset=60; user=first.last; user_domain=CONTOSO.COM; vol_avail_mb=93037; vol_cap_mb=241126}
hw : @{uuid=XXXXXXX-E406-5392-66BC-B3AEE4BC9185; bios_ver=ACER - 12F0 R1CET66W(1.35 ); cpu_mhz=2096; cpu_type=AMD64 Family 23 Model 96 Stepping 1; log_cpus=12; mem_mb=15592...}
adapters : {@{addr=74:4C:A1:B5:C9:0D; category=Public; ipv4Address=192.168.128.20; ipv4_gw=192.168.128.1; ipv4_prefix=24; mask=255.255.255.0}}
is_virtual : False
dns_names : {192.168.1.1…}
parent_device_group_id : XXXX-KeUTx2ao0zIr0fpyA
parent_device_group_name : Workstations
device_status : SECURE
connection_status : ONLINE
Get detailed info about an asset using its device_ID
Get-SepCloudDeviceDetails -Device_ID abcdefghijkl
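The two calls above can be combined into a small triage pass over the devices SEP Cloud flags as AT_RISK or COMPROMISED. This is an added example, not code from the module's README; it assumes the cmdlets return objects with the properties shown in the sample output above (id, name, device_status, connection_status, parent_device_group_name).

```powershell
# Added example (not part of PSSymantecCloud): triage flagged devices, keep the ones that are
# currently ONLINE, and pull their full asset record. Assumes the object properties shown in
# the README sample output (id, name, device_status, connection_status, parent_device_group_name).

if (-not (Test-SepCloudConnectivity)) {
    throw "Not authenticated against the SEP Cloud API. Generate your token first."
}

# One API call per status value the console exposes for non-secure devices.
$flagged = foreach ($status in 'AT_RISK', 'COMPROMISED') {
    Get-SepCloudDevices -Device_Status $status
}

# Offline devices cannot be acted on right now; report them separately.
$online  = @($flagged | Where-Object { $_.connection_status -eq 'ONLINE' })
$offline = @($flagged | Where-Object { $_.connection_status -ne 'ONLINE' })

# Summary per device group, worst groups first.
$flagged |
    Group-Object parent_device_group_name |
    ForEach-Object {
        [pscustomobject]@{
            DeviceGroup = $_.Name
            Total       = $_.Count
            Compromised = @($_.Group | Where-Object { $_.device_status -eq 'COMPROMISED' }).Count
            AtRisk      = @($_.Group | Where-Object { $_.device_status -eq 'AT_RISK' }).Count
        }
    } |
    Sort-Object Compromised, AtRisk -Descending |
    Format-Table -AutoSize

# Full asset record for each online flagged device (one API call per device).
$details = foreach ($device in $online) {
    Get-SepCloudDeviceDetails -Device_ID $device.id
}
$details |
    Select-Object name, domain, device_status, connection_status, modified |
    Format-Table -AutoSize

if ($offline.Count -gt 0) {
    Write-Warning ("{0} flagged device(s) are offline and were not queried: {1}" -f
        $offline.Count, (($offline | ForEach-Object { $_.name }) -join ', '))
}
```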
List of all your open incidents
Get-SepCloudIncidents -Open
List of all your incidents, including all events
Get-SepCloudIncidents -Include_Events
Note: Broadcom retains all data for a maximum of 30 days.
Get a custom list of incidents based on a specific query, using the supported Lucene query language.
Example: the different incident states are 0 Unknown | 1 New | 2 In Progress | 3 On Hold | 4 Resolved | 5 Closed
Get-SepCloudIncidents -Query "(state_id: 4 OR state_id: 5)"
The Protection APIs provide information on whether a given file, domain or CVE has been blocked by any of Symantec's technologies.
File coverage
Get-SepThreatIntelFileProtection -file_sha256 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a | fl
file : 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a
state : {@{technology=AntiVirus; firstDefsetVersion=20160428.021; threatName=Trojan.Gen.2}, @{technology=Intrusion Prevention System; firstDefsetVersion=20221025.061; threatName=System Infected: Trojan.Backdoor Activity 634},
@{technology=Behavioural Analysis & System Heuristics; firstDefsetVersion=20230420.001; threatName=SONAR.SuspScr!gen1}}
Domain coverage
Get-SepThreatIntelNetworkProtection -domain nicolascoolman.eu | fl
network : nicolascoolman.eu
state : {@{technology=AntiVirus; firstDefsetVersion=2023.03.14.024; threatName=WS.Reputation.1}, @{technology=Behavioural Analysis & System Heuristics; firstDefsetVersion=20230301.001; threatName=SONAR.Heur.Dropper}}
CVE coverage
Get-SepThreatIntelCveProtection -cve CVE-2023-35311 | fl
cve : CVE-2023-35311
state : {@{technology=Intrusion Prevention System; firstDefsetVersion=20230712.061; threatName=Web Attack: Microsoft Outlook CVE-2023-35311}}
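A practical use of the file coverage call is checking a batch of SHA256 hashes from an incident report and flagging the ones no Symantec technology covers yet. This is an added example, not code from the module's README; it assumes Get-SepThreatIntelFileProtection returns an object with the file and state properties shown in the sample output above, and the second hash is a placeholder to replace with your own.

```powershell
# Added example (not part of PSSymantecCloud): report which detection technologies cover each
# SHA256 in a list. Assumes the 'file' and 'state' properties shown in the README sample output.

function Get-FileCoverageReport {
    param([Parameter(Mandatory)][string[]]$Sha256)

    foreach ($hash in $Sha256) {
        # Reject anything that is not a 64-character hex string before spending an API call.
        if ($hash -notmatch '^[0-9a-fA-F]{64}$') {
            [pscustomobject]@{ File = $hash; Covered = $null; Technologies = 'invalid SHA256' }
            continue
        }

        $result = Get-SepThreatIntelFileProtection -file_sha256 $hash
        # Force an array and drop a null 'state' so an uncovered file yields Count 0, not 1.
        $states = @($result.state | Where-Object { $_ })

        [pscustomobject]@{
            File         = $hash
            Covered      = $states.Count -gt 0
            Technologies = ($states | ForEach-Object {
                '{0}: {1} (since defset {2})' -f $_.technology, $_.threatName, $_.firstDefsetVersion
            }) -join '; '
        }
    }
}

$hashes = @(
    '64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a'  # hash from the README sample
    'REPLACE-WITH-A-SHA256-FROM-YOUR-INCIDENT-REPORT'                    # placeholder, fails validation on purpose
)

$report = Get-FileCoverageReport -Sha256 $hashes
$report | Format-Table -AutoSize -Wrap

# Hashes with no coverage are the ones worth escalating: nothing in the estate blocks them yet.
$uncovered = @($report | Where-Object { $_.Covered -eq $false })
if ($uncovered.Count -gt 0) {
    Write-Warning ("No Symantec coverage for: {0}" -f (($uncovered | ForEach-Object { $_.File }) -join ', '))
}
```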
List of all policies
PS C:\> Get-SepCloudPolices
total policies
----- --------
111 {@{name=Block USB Device Control Policy; author=Aurelien Boumanne; policy_uid=xxxxxxx...
Get policy details for a specific version
Get-SepCloudPolicyDetails -Name "My Policy" -Version 5
Note: by default, the latest version is returned.
Easily export any allow list policy in Excel format
Get-SepCloudPolicyDetails -Name "My Allow List Policy" | Export-SepCloudPolicyToExcel -Path "allow_list.xlsx"
To build the module, you need to have ModuleBuilder installed.
- Install ModuleBuilder
Install-Module -Name ModuleBuilder
- Clone the PSSymantecCloud repository
git clone https://github.com/Douda/PSSymantecCloud
cd PSSymantecCloud
- Run
Install-RequiredModule
- Run
Build-Module .\Source -SemVer 1.0.0
Note: a build version is required when building the module, e.g. 1.0.0. The compiled module appears in the Output folder.
- Import the newly built module
Import-Module .\Output\PSSymantecCloud\1.0.0\PSSymantecCloud.psm1 -Force
ModuleBuilder will automatically apply the next semver version if you have installed gitversion.
To manually create a new version run Build-Module .\Source -SemVer 0.0.2
ModuleBuilder - https://github.com/PoshCode/ModuleBuilder